CertiGuide to Network+  9  Chapter 1000:  Security in the Real World

Encryption for Data Transmission 1 Proxy Servers and Firewalls

By definition, a firewall filters and controls data between networks. The most typical firewall installation occurs between the corporate LAN and the Internet. With both the cost and installation headache of installing firewalls dropping rapidly, firewalls are being installed between sensitive areas and the rest of the company. Firewalls used to be the province of large companies with $20,000 or more to spend on protecting their network, and a very security-savvy network engineer on site. In recent years, simplified low-end firewalls have become available for home and SOHO (small office/home office) users as well, and are frequently used to protect home networks connected to the Internet via an always-on (dial-up not required) technology such as DSL or cable Internet.

Using a firewall, you can set up rules to control access to your LAN by certain types of traffic from out on the Internet, based on a variety of criteria. You might choose to deny incoming traffic if its source IP address matches that of a site with whom you’ve had “cracker problems” in the past. Or you might choose to deny incoming traffic on the ftp (or any other Internet service) port, if you don’t want users on the Internet to access that service on your Internet-connected system.

If incoming traffic for a particular port is blocked, an outside user trying to access the service at that port (for example, port 80 for http or 23 for telnet) will see their application hang, waiting for access, or simply return a not accessible message, depending on the firewall being used.

Just as firewalls can be used to block traffic coming in, they can also be used to block traffic going out. For instance, a company might desire to prevent its employee users from accessing their personal electronic mailbox at their personal ISP, over the corporate Internet connection. To do this, they could deny outgoing traffic on their LAN, which is destined for ports 110 (POP3) and 25 (SMTP) on Internet systems outside their network. The author has even heard of ftp transfers out to sites on the Internet being blocked by software development companies who take every possible step to make sure that their source code does not get distributed outside their organization.

Encryption for Data Transmission 1 Proxy Servers and Firewalls